Nation-State and Crime Groups Keep Blending, Europol Warns

Steven Wilson, head of Europol's EC3, speaks on March 27 in Edinburgh, Scotland. (Photo: Mathew Schwartz)

Distinguishing nation-state attacks from organized crime continues to grow more difficult because some attackers wear both hats, a Europol official reports. Further complicating the picture: Young attackers enjoy access to ever-more sophisticated and inexpensive tools and services.

"The problem we see now is that ... you can be nation-state by day, organized crime by night. You have a mandate to operate as long as you don't do anything in your own country," said Steven Wilson, head of Europol's European Cybercrime Center, speaking Wednesday at the fifth annual ScotSecure cybersecurity conference in Edinburgh, Scotland.

Europol's EC3 works to help EU member states and other partners stop cybercrime, albeit in a supporting role, by gathering and providing intelligence as well as providing real-time operational support.

"We're not the European FBI; we're not allowed to go and kick in doors," Wilson said. He joined Europol in 2016 after serving for 30 years with Police Scotland, working in roles that ranged from major investigations and counterterrorism to covert policing.

Law Enforcement Intelligence

Europol includes representatives from law enforcement bodies inside all 28 EU member states, as well as international partners, including the FBI. Of course, many of them do have cause to kick down doors in the course of their investigations.

Meanwhile, cybercrime tools and tactics continue to change at a rapid pace. Wilson said that every four years, his Europol counterterrorism and organized crime colleagues release a major new report on the trends they see, while his group publishes an annual report: EC3's Internet Organized Crime Assessment (see: Cybercrime: 15 Top Threats and Trends).

Take online scams: "Nigerian prince" and 419 scams once dominated. Increasingly, however, Europol sees these groups evolving to use more advanced phishing attacks, including business email compromises, to steal not just hundreds or thousands of dollars but sometimes much more.

At Europol, three operations teams at EC3 respectively collect cyber intelligence; track major cyberattacks, such as WannaCry, NotPetya, and attacks on the banking system targeting users of the SWIFT interbank messaging system; and focus on online child sexual abuse. Wilson said the latter is arguably his group's most important work.

A new team at EC3 also looks at threats and challenges associated with the dark web, such as suppliers of fentanyl and child-abuse material, which he said "is endemic across the web."

Europol also helps coordinate investigations and disrupt everything from darknet marketplaces to money mule operations. "We were heavily involved in the takedowns of the AlphaBay and Hansa markets," Wilson said, noting that Europol is also looking for cases "where we can destabilize this huge threat to the population."

Cybercrime: Faster, Cheaper

But the state of attack tools is such that individual attackers can increasingly destabilize businesses as well as a nation's critical infrastructure.

For example, Wilson noted that last year, the banking system in the Netherlands - where he and Europol are based - was disrupted by distributed denial-of-service attacks. Dutch banks ABN Amro, ING and Rabobank were targeted.

Some commentators suggested, without any evidence, that the attacks had been launched by Russia after press reports surfaced that Dutch intelligence had been the first to warn its U.S. counterparts that the Democratic National Committee had been hacked by Russia's Cozy Bear hacking team in 2015 (see: Steele Dossier Case: Expert Traces Spear-Phishing of DNC).

But was Russia involved? "No, it was an 18-year-old teenager from Leiden," Wilson said, referring to Dutch authorities having arrested a suspect in the southern Dutch city in January 2018. "Five years ago, that would have been a nation-state attack."

Target: Ringleaders

Europol is helping to coordinate cases and more actively bring them to fruition, with Wilson saying many now get closed within a year. Identifying and detaining ringleaders also remains a major goal, as happened via the AlphaBay and Hansa disruptions.

"Unless we can take these guys at the top level, they will continue to act with utter impunity," Wilson said.

"Ultimately, a large portion of cybercrime relates to financial benefit," Wilson said. "They need to cash out at some point."

During Europol's European Money Mule Action IV campaign, which ran last September to November, Wilson said police in Europe made 168 arrests and identified 140 money mule organizers as well as 1,504 money mules.

No More Ransom Project

In February, No More Ransom released a free decryptor to unlock files infected with GandCrab, up to version 5.1.

The No More Ransom project that Europol helped launch in July 2016 continues to provide ransomware victims with free crypto-locked file decoders. Wilson said of the impetus: "We discovered that we were recovering keys from particular cases," while at the same time security firms were discovering weaknesses in ransomware crypto that they could use to build working decryptors.

No More Ransom now has 136 partners and a website that offers content in 36 languages. To access the decryptors, victims only have to upload two files to see if they can be recognized and if a working decoder is available.

Brexit Uncertainty

Against the backdrop of Brexit uncertainty, Wilson declined to comment on Britain's planned departure from the EU.

"As a police officer I need to remain quite neutral on that one," he said in response to an audience question. "But security should be non-negotiable. ... I would hope that the security argument falls out of everything that's going on right now."

But Wilson said that even in a worst-case scenario, there are multiple ways of working with Europol. "You don't need to be a member state" to collaborate, he said, referring to the U.S., Australia, Canada and others who have law enforcement liaisons stationed at Europol headquarters in The Hague, Netherlands.

On the flip side, however, he said that criminals love to prey on uncertainty, of which there is an ample amount in circulation due to the Brexit debate.

"Anytime you've got people looking somewhere else, it's a potential opportunity for attacks to come," he said. "You have a perfect situation now to come at something from the opposite end."

About the Author

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
